One technique to protect a data processing system against computer viruses and other undesirable software entities is to periodically scan the potentially infectable objects (e.g., applications, files, etc.) on the system for the presence of known viruses, or new viruses that are sufficiently similar to known viruses to be detected using available algorithms. However, this process can be time-consuming, especially as the size of data processing systems and the number of known viruses increases.
More particularly, existing anti-virus software makes use of a large variety of algorithms to detect the presence of computer viruses and other undesirable software entities (hereinafter simply referred to as “viruses”.) As the size of a typical system increases, and the number and complexity of known viruses and the objects that they infect increases, the time required to check a typical system for viruses also increases. Various techniques for speeding up these checks are known in the art. In general, most of these known techniques involve improved algorithms for deciding whether a given object contains a virus, independent of any information about the object other than its current contents.
It is known to employ techniques for increasing the speed of virus scanning by maintaining a database of information about the status of scanned objects, at the time the last scan was performed, and then using that database to determine which objects are new, or have changed in significant ways, since the last scan. Reference in this regard can be had to U.S. Pat. No. 5,473,769, “Method and Apparatus for Increasing the Speed of the Detecting of Computer Viruses”, By Paul D. Cozza. Scanning only these objects can significantly reduce the time taken to perform the scan. However, this technique is not effective when one or more new viruses have been added to the set being scanned for. That is, since the new viruses were not scanned for the last time, the fact that an object has not changed since the last scan cannot be taken as indicating that the object need not be scanned this time. This is true since, if the object contains one of the newly-added viruses, the last scan would not have detected the new virus, but the current scan will. These known techniques, then, do not convey any advantage when the list of viruses being scanned for is updated between scans. As new computer viruses continue to appear more and more frequently, and network connectivity makes it feasible to update the virus list more and more often, the effectiveness of these known techniques can be expected to decline significantly.
A general reference to computer virus detection and removal techniques can be found in a publication coauthored by the inventor, “Fighting Computer Viruses”, Scientific American, November 1997, J. O. Kephart et al., pp. 88–93. Reference may also be had to the following commonly assigned U.S. Patents for teaching various computer virus detection, removal and notification techniques: U.S. Pat. No. 5,440,723, issued Aug. 8, 1995, entitled “Automatic Immune System for Computers and Computer Networks”, by Arnold et al.; U.S. Pat. No. 5,452,442, issued Sep. 19, 1995, entitled “Methods and Apparatus for Evaluating and Extracting Signatures of Computer Viruses and Other Undesirable Software Entities”, by Kephart; U.S. Pat. No. 5,485,575, issued Jan. 16, 1996, entitled “Automatic Analysis of a Computer Virus Structure and Means of Attachment to its Hosts”, by Chess et al.; U.S. Pat. No. 5,572,590, issued Nov. 5, 1996, entitled “Discrimination of Malicious Changes to Digital Information Using Multiple Signatures”, by Chess; and U.S. Pat. No. 5,613,002, issued Mar. 18, 1997, entitled “Generic Disinfection of Programs Infected with a Computer Virus”, by Kephart et al. The disclosures of these commonly assigned U.S. Patents are incorporated by reference herein in their entireties, in so far as the disclosures do not conflict with the teachings of this invention.